docs(csec): add cybersecurity toolkit catalog

[Bad3r]

Summary

• Adds two long-form references under docs/csec/:
  • toolkit.md describes every cybersecurity-relevant package this repo ships across recon, web testing, credential attacks, RE, forensics, and dual-use utilities.
  • additional-tools-reference.md catalogs pentesting tools available via nix run/nix shell that complement the active toolkit, grouped by domain (AD, recon, web, credentials, wireless, RE, forensics, stego, SAST, cloud, pivoting).
• Adds modules/csec/additional-tools-runtime-status.md to track which nixpkgs entries currently build cleanly so the additional-tools list stays honest.
• Wires both toolkit pages into docs/index.md under a new Cybersecurity section.
• Allowlists gost (GO Simple Tunnel, ginuerzh/gost) in .typos.toml so the typos hook does not flag the genuine tool name as a misspelling of "ghost".

Test plan

• nix develop -c pre-commit run --all-files --hook-stage manual — typos and treefmt pass.
• Reviewer skims docs/csec/toolkit.md and docs/csec/additional-tools-reference.md for accuracy.

[claude]

Claude finished @Bad3r's task in 4m 53s —— View job

---

Review summary

Two well-organized catalogs that fill a real documentation gap, plus one supporting .typos.toml allowlist entry. The structure, tone, and per-entry format are consistent and easy to skim. The standout strength is the additional-tools-reference.md/additional-tools-runtime-status.md pairing: smoke-tested invocations with explicit ⚠️ failure receipts is much more honest than the usual "here is a list" approach.

The blocking concerns are factual — docs/csec/toolkit.md documents tooling and an option namespace that this repo does not ship. Details below.

---

Blocking issues

1. csec.wordlists.* option namespace does not exist in this repo — docs/csec/toolkit.md:205-227

The doc says "When csec.wordlists.enable = true is set on a host, this configuration exposes the bundled wordlists under the Kali-style canonical paths" and goes on to describe csec.wordlists.extraLinks, auto-discovery via builtins.readDir ${pkgs.wordlists}, and /usr/share/wordlists/... symlinks.

I grepped exhaustively (modules/, packages/, all *.nix):

• no csec option namespace anywhere (modules/csec/ only contains the new additional-tools-runtime-status.md)
• no pkgs.wordlists meta-package consumer
• no /usr/share/wordlists/* environment.etc/symlink wiring
• no wordlists.enable or wordlists.extraLinks option declaration

This entire section describes infrastructure that is not implemented. Either land the module first, gate the section behind a "Planned" header, or remove it. As-is it will mislead operators into running a csec.wordlists.enable = true line that is a no-op (and would actually fail to evaluate with an unknown option).

Fix this →

2. Seven tools listed in toolkit.md are not actually shipped by this configuration

The doc opens with "Source of truth: each host's apps-enable.nix." The following entries are documented as part of the active toolkit but have no module under modules/apps/<name>.nix and no entry in either modules/system76/apps-enable.nix or modules/tpnix/apps-enable.nix:

Tool	Section in toolkit.md
dnsenum	Network Reconnaissance & Enumeration
ffuf	Web Application Testing & Proxies
wfuzz	Web Application Testing & Proxies
wpscan	Web Application Testing & Proxies
xnlinkfinder	Web Application Testing & Proxies
nuclei	Auditing & Vulnerability Assessment
nuclei-templates	Auditing & Vulnerability Assessment

These belong in additional-tools-reference.md (the "available via nix run" catalog) rather than toolkit.md. The closest neighbor nikto/naabu/shuffledns are already correctly placed there.

Fix this →

3. netcat Repo/Docs/Stat fields describe the wrong upstream — docs/csec/toolkit.md:720-725

- netcat
  - Repo.: <https://nc110.sourceforge.io/>
  - Stat.: Deprecated (latest release 1996-03-20; original Hobbit netcat unmaintained, ...)

But modules/apps/netcat.nix:1-6 packages the LibreSSL/OpenBSD-derived netcat:

Description: Utility which reads and writes data across network connections, using the LibreSSL implementation.
Homepage: https://www.libressl.org
Repository: https://github.com/libressl/portable

The Repo, Docs, and Stat fields should reflect what the host actually installs (LibreSSL, maintained), not Hobbit's 1996 nc110 — those are different projects and different maintenance stories. Same entry classification flows into the catalog's "deprecated tools" tally.

Fix this →

---

Non-blocking issues

4. modules/csec/additional-tools-runtime-status.md placement — this is documentation that lives under modules/, which (per CLAUDE.md and the import-tree discovery filter) is reserved for Nix modules. It is harmless at evaluation time because import-tree only picks up .nix files, but it's structurally inconsistent with the rest of the repo: every other markdown file under documentation lives in docs/. Consider docs/csec/additional-tools-runtime-status.md instead, then update the cross-reference at docs/csec/additional-tools-reference.md:3 / wherever this is linked. (Currently nothing in this PR actually links to it.)

5. Awkward relative links — docs/csec/additional-tools-reference.md:3 and :888:

[`docs/csec/toolkit.md`](../../docs/csec/toolkit.md)
[`docs/guides/apps-module-style-guide.md`](../../docs/guides/apps-module-style-guide.md)

Both files live in docs/csec/, so the natural form is [toolkit.md](toolkit.md) and [apps-module-style-guide.md](../guides/apps-module-style-guide.md). The ../../docs/... form resolves correctly but rebases through the repo root for no reason.

6. Several "Maintained (latest release 2026-05-XX)" dates exactly match the 2026-05-04 verification stamp — e.g. katana v1.6.0, 2026-05-04, kubescape v4.0.6, 2026-05-04, maltego 4.11.3, 2026-05-04, azd 2026-05-02, wakaru 2026-05-03, xxd 2026-05-03, poppler-utils 2026-05-03. Possible but unusually clustered around the verification date. Worth a spot-check pass on the GitHub release pages to make sure these aren't transcription artifacts from "today".

7. unzip/zip flagged Deprecated without a replacement note — docs/csec/toolkit.md:864-875. Other "Deprecated" entries point to a successor (e.g. dirbuster → "superseded by gobuster/feroxbuster"; iotop → "consider iotop-c fork"). For zip/unzip the bsdunzip/p7zip-handles-zip story is worth one line so a reader doesn't think there's no path forward.

8. bzip2/tar "Maintenance mode" claims — bzip2 1.0.8 (2019) on GitLab and GNU tar 1.35 (2023) are both effectively core utilities, not "active commits but no recent tag". This is a small framing issue; consider just dropping the explicit Stat for utilities of this class, or moving them to a footer note like "core POSIX utilities are not classified".

---

Things done well

• Per-entry format (run../Repo./Docs./Desc./Stat.) is consistent across both files and easy to grep.
• The smoke-test report (additional-tools-runtime-status.md) ties failure modes back to root causes (Ruby gem missing, Python 3.13 incompat, attribute name collision with unrelated upstream, unfree licensing, closure size budget). That's exactly the right level of detail for a future maintainer reproducing the run.
• Inline ⚠️ notes on the affected tools in additional-tools-reference.md mean a reader doesn't have to cross-reference the runtime-status report to know the tool is broken — they see it at point-of-use.
• The gost allowlist in .typos.toml correctly preserves the typo-checker's signal for everything else.
• docs/index.md change adds a single, scoped "Cybersecurity" section in the existing style. No other categories disturbed.

---

Validation

• Did not run nix flake check — change is documentation-only plus a typos.toml allowlist entry; per CLAUDE.md value-level non-Nix changes don't require it. PR author already ran pre-commit run --all-files --hook-stage manual.

Checklist

• Read changed files
• Cross-check toolkit doc claims against repo modules
• Verify additional-tools list against apps-enable.nix wiring
• Validate doc structure, internal links, and conformance with docs/ style
• Verify modules/csec/ location for a markdown-only file
• Post comprehensive review
  · docs/csec-toolkit

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 39788f5974

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[gemini-code-assist]

Code Review

This pull request establishes a comprehensive cybersecurity documentation framework, adding a primary toolkit catalog and an extensive reference for additional pentesting tools available via Nix. It also includes a runtime status report based on smoke tests of the documented tools. The reviewer feedback identifies several inaccuracies in the tool invocation examples, specifically regarding mismatched binary names, outdated subcommands, and missing environment flags for unfree packages.

[Bad3r]

Review feedback addressed

Six atomic commits land on this branch. Each maps to one logical concern from the review.

Commit	Concern	Source
c16055d9	Relocate runtime-status report under docs/csec/ and link from the reference catalog	Non-blocking #4
ad47cd6a	Drop the csec.wordlists.* section + move 7 unshipped tools to the additional-tools reference	Blocking #1, #2
46f7c29f	Repoint netcat Repo/Docs/Stat at LibreSSL portable	Blocking #3
3e533712	Tighten archive utility classifications (Core utility tier, zip/unzip successor pointers)	Non-blocking #7, #8
fd2ea924	Use sibling-relative links inside docs/csec	Non-blocking #5
84a72b54	Correct run..: commands for impacket, kerbrute, gowitness, pwntools, volatility3, hayabusa, scoutsuite, ligolo-ng, frp	Inline P2/medium/high comments

Accepted

Blocking #1 — csec.wordlists.* namespace does not exist. Confirmed by rg -F 'csec.wordlists' returning only the doc itself and rg -F '/usr/share/wordlists' returning zero hits in *.nix. Removed the entire section. Replaced it with a short pointer to the canonical share/<tool>/ trees that the listed packages already expose, resolvable via nix eval --raw nixpkgs#<pkg>. No fictional infrastructure remains in the catalog.

Blocking #2 — seven tools not shipped. Confirmed against modules/system76/apps-enable.nix and modules/tpnix/apps-enable.nix; none of dnsenum, ffuf, wfuzz, wpscan, xnlinkfinder, nuclei, nuclei-templates is wired in, and none has a matching modules/apps/<name>.nix. Moved every entry to docs/csec/additional-tools-reference.md under the right section. Each entry switches from a bare-binary invocation to nix run nixpkgs#<attr>. wpscan ships unfreeRedistributable upstream, so the run command carries the explicit NIXPKGS_ALLOW_UNFREE=1 --impure prefix.

Blocking #3 — netcat is LibreSSL, not Hobbit nc110. pkgs/by-name/li/libressl/default.nix builds with -DENABLE_NC=ON and exposes bin/nc through the nc output, which pkgs.netcat aliases. Repo points at libressl/portable, Docs at OpenBSD nc(1), Desc clarifies the LibreSSL provenance, Stat flips to Maintained with the LibreSSL 4.2.1 cadence noted.

Non-blocking #4 — runtime-status doc location. Moved to docs/csec/additional-tools-runtime-status.md and linked from the reference catalog so it is reachable.

Non-blocking #5 — awkward relative links. Switched to the sibling form (toolkit.md) and ../guides/apps-module-style-guide.md.

Non-blocking #7 — zip/unzip successor pointers. Added bsdunzip (libarchive) and 7z x (p7zip) for unzip; bsdtar --format zip and 7z a for zip. Matches the precedent set by dirbuster -> gobuster/feroxbuster and iotop -> iotop-c.

Non-blocking #8 — bzip2/tar framing. Introduced a fourth Stat tier, Core utility, in the catalog header and reclassified bzip2 1.0.8 and GNU tar 1.35 under it. Avoids implying an upstream cadence those projects never had.

Inline comments — run..: commands now match the shipped binary.

Tool	Old	New
impacket	impacket-secretsdump alias (does not exist)	secretsdump.py (real script)
kerbrute	kerbrute -- userenum -d $domain (ropnop CLI)	kerbrute -- -domain $domain -users users.txt -passwords passwords.txt (Tarlogic Python tool, which is what nixpkgs#kerbrute actually packages)
gowitness	single -u $url (v2)	scan -u $url (v3 rename)
pwntools	nix run nixpkgs#pwntools (mainProgram unset)	nix shell nixpkgs#pwntools -c pwn -- shellcraft …
volatility3	nix run nixpkgs#volatility3 -- -f $memdump … (binary missing, license unfree)	NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#volatility3 -c vol -- -f $memdump …
hayabusa	nix run nixpkgs#hayabusa -- csv-timeline … (resolves to koutoftimer's IPC daemon, not the EVTX scanner)	Must create a custom nixpkg (consistent with falco / velociraptor / pwndbg)
scoutsuite	uvx scoutsuite (entry point is scout)	uvx --from scoutsuite scout
ligolo-ng	nix run nixpkgs#ligolo-ng (no ligolo-ng binary)	nix shell nixpkgs#ligolo-ng -c ligolo-proxy …
frp	nix run nixpkgs#frp -- -c frpc.toml (no default app)	nix shell nixpkgs#frp -c frpc -- -c frpc.toml

Verbose inline ⚠️ Failed to run notes were removed where the run command is now correct; the runtime-status report retains the full failure receipts as a historical record. The kerbrute entry also repoints Repo/Docs from ropnop/kerbrute to TarlogicSecurity/kerbrute to match what nixpkgs actually ships, and calls out ropnop's separate Go upstream as not packaged.

Acknowledged but not changed

Non-blocking #6 — clustered "2026-05-XX" dates. The dates were transcribed from upstream tags and release pages by hand on 2026-05-04, and the clustering is real (kubescape v4.0.6, katana v1.6.0, syft v1.44.0, grype v0.112.0, prowler v5.25.1, semgrep v1.161.0, nuclei v3.8.0 all tagged inside the same week). I have not re-fetched them in this loop, so the verification timestamp is the original one. If a future smoke-test discovers drift, the runtime-status report is the right place to catch it.

Threads resolved

All 11 inline review threads (PRRT_kwDOPeLwm85_…) are marked resolved against the relevant commit above.

Test plan

• pre-commit run --all-files --hook-stage manual (typos + treefmt) on each commit.
• rg -nE '(impacket-secretsdump|kerbrute -- userenum|gowitness.*-- single|nix run nixpkgs#pwntools|volatility3 -- -f|hayabusa -- csv|uvx scoutsuite|nix run nixpkgs#ligolo-ng|nix run nixpkgs#frp)' returns no broken invocations.
• rg -F csec.wordlists returns no hits anywhere in the tree.
• All 7 moved tools are absent from docs/csec/toolkit.md and present exactly once in docs/csec/additional-tools-reference.md.

[claude]

Claude finished @Bad3r's task in 3m 4s —— View job

---

Follow-up review

All seven items from the prior review are landed correctly across the six follow-up commits, plus the inline run..: corrections that came in via 84a72b5. Verified each against the working tree.

---

Verification matrix

Concern	Commit	Verified by	Result
Blocking #1 — csec.wordlists.* removed	ad47cd6	rg -F 'csec.wordlists' docs/ modules/ packages/ → 0 hits; rg -F /usr/share/wordlists --type=nix → 0 hits	OK
Blocking #2 — 7 tools moved	ad47cd6	Each of dnsenum, ffuf, wfuzz, wpscan, xnlinkfinder, nuclei, nuclei-templates → 0 hits in toolkit.md, exactly 1 entry in additional-tools-reference.md	OK
Blocking #3 — netcat = LibreSSL	46f7c29	toolkit.md:661-666 — Repo libressl/portable, Docs man.openbsd.org/nc.1, Stat Maintained (LibreSSL 4.2.1)	OK
NB #4 — runtime-status under docs/csec/	c16055d	File at docs/csec/additional-tools-runtime-status.md; cross-link at additional-tools-reference.md:5	OK
NB #5 — sibling-relative links	fd2ea92	rg '\.\./\.\./docs/' docs/csec/ → 0 hits; style-guide link normalized to ../guides/apps-module-style-guide.md	OK
NB #7/#8 — archive/core utilities	3e53371	Header at toolkit.md:14 defines new Core utility tier; bzip2 and tar reclassified; unzip/zip carry bsdunzip/bsdtar/p7zip successor pointers	OK
Inline run..: fixes	84a72b5	rg for the 9 stale invocations → 0 hits; entries inspected individually below	OK

Inline run..: audit

Tool	New run..:	Note
impacket	nix shell nixpkgs#python3Packages.impacket -c secretsdump.py -- ...	Drops the non-existent impacket-secretsdump alias.
kerbrute	nix run nixpkgs#kerbrute -- -domain $domain -users users.txt -passwords passwords.txt	Repo/Docs repointed at TarlogicSecurity/kerbrute; ropnop is called out as a separate, unpackaged upstream.
gowitness	nix run nixpkgs#gowitness -- scan -u $url	v3 rename applied.
pwntools	nix shell nixpkgs#pwntools -c pwn -- shellcraft amd64.linux.sh	Sidesteps missing meta.mainProgram.
volatility3	NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#volatility3 -c vol -- ...	Unfree prefix + vol binary.
hayabusa	Must create a custom nixpkg	Aligned with the falco/velociraptor/pwndbg precedent.
scoutsuite	uvx --from scoutsuite scout $provider	Fixes the entry-point name.
ligolo-ng	nix shell nixpkgs#ligolo-ng -c ligolo-proxy -- -selfcert -laddr 0.0.0.0:11601	Uses real ligolo-proxy binary.
frp	nix shell nixpkgs#frp -c frpc -- -c frpc.toml	Uses real frpc binary.

⚠️ Failed to run notes were stripped from these nine entries (verified via awk/grep -c '⚠️' per entry → 0). The runtime-status report retains the historical receipts (8 mentions of impacket, 4 of pwntools and scoutsuite, etc.) so the failure provenance is not lost.

---

Residual non-blocking observations

These are not blockers and the PR author already explicitly chose not to re-fetch dates per NB #6 — surfacing for awareness only.

A. wfuzz Stat field — likely transcription artifact (NB #6, deferred) — additional-tools-reference.md:341.
The entry currently reads Stat.: Maintained (latest release 2026-01-21). xmendez/wfuzz upstream stopped tagging at v3.1.0 in 2020; the maintainer publicly archived the project. If a re-verification pass is ever scheduled, wfuzz is the strongest candidate to flip to Deprecated alongside the existing classifications. Not blocking — the prior review already accepted that the dates were transcribed by hand on 2026-05-04 and would be reconciled on the next smoke-test run.

B. additional-tools-runtime-status.md not linked from docs/index.md — docs/index.md:83-88.
The Cybersecurity section indexes toolkit.md and additional-tools-reference.md but not the runtime-status report. The reference doc links to it inline (line 5), so it's reachable; just noting that an operator skimming docs/index.md won't see the smoke-test record from the top level. Adding a third bullet — or leaving the runtime-status report as a child of the reference doc — both work; current setup is consistent with treating it as an appendix.

---

Things done well in this round

• The kerbrute correction goes beyond the inline comment: the Repo/Docs URLs were repointed at TarlogicSecurity/kerbrute (the upstream that nixpkgs actually packages) and ropnop's separate Go tool is called out as not-packaged. That avoids a second-order confusion the reviewer didn't even raise.
• wpscan correctly carries the NIXPKGS_ALLOW_UNFREE=1 ... --impure prefix in its new home — that's not one the inline comments asked for, but it's the right call given the unfreeRedistributable marker.
• The new Core utility Stat tier (toolkit.md:14) is a tidy way to handle the bzip2/tar framing without inventing a release cadence those projects don't have.
• Six atomic commits, one logical concern each. Easy to review, easy to revert any single change in isolation.

---

Checklist

• Verify Blocking feat: add nixos app helpers #1 — csec.wordlists.* section removed
• Verify Blocking docs: normalize filenames to kebab case #2 — 7 unshipped tools moved to additional-tools-reference.md
• Verify Blocking feat(claude-code): manage claude shell config declaratively #3 — netcat repointed at LibreSSL
• Verify NB feat: Add Claude Code GitHub Workflow #4 — runtime-status doc relocated under docs/csec/
• Verify NB feat(cf-auto-docs): NixOS module documentation API via CloudFlare #5 — sibling-relative links in docs/csec/
• Verify NB feat(claude-code): manage claude shell config declaratively #7/feat: add Espanso text expander #8 — archive/core-utility classifications
• Verify inline run..: corrections (impacket, kerbrute, gowitness, pwntools, volatility3, hayabusa, scoutsuite, ligolo-ng, frp)
• Spot-check unchanged content for residual claims about non-existent infra

Validation

• Did not run nix flake check — change is documentation-only plus a .typos.toml allowlist entry; per CLAUDE.md value-level non-Nix changes don't require it.
  · docs/csec-toolkit

[Bad3r]

Round 2 follow-up

Two residual observations from 25340197722. Reply plus one additional commit (cc75b171).

Observation B: runtime-status missing from docs/index.md — accepted

cc75b171 adds the bullet under the existing Cybersecurity heading so the smoke-test companion is reachable from the docs root, not only via the inline cross-link inside additional-tools-reference.md:5. Treats the runtime-status report as a peer of the reference catalog rather than an appendix, matching how r2-cloud/ lists each subdoc.

Observation A: wfuzz Stat field — rejected

Verified upstream state on 2026-05-04 via the GitHub API:

$ gh api repos/xmendez/wfuzz --jq '{archived, pushed_at}'
{"archived":false,"pushed_at":"2026-01-21T15:31:40Z"}

$ gh api repos/xmendez/wfuzz/releases --jq '[.[] | {tag_name, published_at}] | .[0:3]'
[
  {"tag_name":"v3.1.1","published_at":"2026-01-21T15:31:40Z"},
  {"tag_name":"v3.1.0","published_at":"2020-11-06T10:42:36Z"},
  {"tag_name":"v3.0.3","published_at":"2020-10-24T17:38:05Z"}
]

xmendez/wfuzz is not archived, and v3.1.1 was tagged on 2026-01-21 — exactly the date the catalog records and well inside the Maintained threshold (release on/after 2025-01-01). The 5-year gap between v3.1.0 (2020-11) and v3.1.1 (2026-01) is real, but the project resumed releases this year. Maintained (latest release 2026-01-21) stands.

State

All review threads from rounds 1 and 2 resolved. Seven atomic commits on the branch:

cc75b171 docs(index): list additional-tools runtime-status alongside the catalog
84a72b54 docs(csec): correct documented run commands to match shipped binaries
fd2ea924 docs(csec): use sibling-relative links inside docs/csec
3e533712 docs(csec): tighten archive utility classifications
46f7c29f docs(csec): align netcat entry with the LibreSSL build the host installs
ad47cd6a docs(csec): align toolkit catalog with shipped configuration
c16055d9 docs(csec): relocate runtime-status report under docs/csec

[claude]

Claude finished @Bad3r's task in 2m 16s —— View job

---

Round 3 review

cc75b171 lands the only outstanding follow-up from round 2 (the docs/index.md link to the runtime-status report). Re-verified everything else against the working tree and have nothing further to flag — this is shippable as documentation.

---

Verification

Item	Verified by	Result
Observation B (round 2) — runtime-status linked from docs root	docs/index.md:89-90 shows the new bullet under the Cybersecurity section	OK
Bullet description (Smoke-test report... records which entries launched cleanly...) is consistent with the parent two bullets' style	Read docs/index.md:83-90	OK
Sibling-relative link form preserved	docs/index.md uses csec/additional-tools-runtime-status.md, matching the csec/toolkit.md and csec/additional-tools-reference.md neighbors	OK
Observation A (round 2) — wfuzz Stat	Author posted gh api evidence (v3.1.1 published 2026-01-21T15:31:40Z, archived: false)	Author's evidence is sound; withdrawn

Re-confirmation of round 1 / round 2 fixes (no regressions)

Concern	Spot-check	Result
csec.wordlists.* removed	rg -F 'csec.wordlists' docs/ modules/ packages/ → 0 hits; rg -F /usr/share/wordlists --type=nix → 0 hits	OK
7 unshipped tools out of toolkit.md, present in additional-tools-reference.md	Per-tool grep loop: dnsenum, ffuf, wfuzz, wpscan, xnlinkfinder, nuclei, nuclei-templates each toolkit=0 reference=1	OK
netcat aligned with LibreSSL	toolkit.md:661-666 — Repo libressl/portable, Docs man.openbsd.org/nc.1, Stat Maintained (LibreSSL 4.2.1)	OK
Sibling-relative links inside docs/csec/	rg '\.\./\.\./docs/' docs/csec/ → 0 hits	OK
Inline run..: corrections (impacket, kerbrute, gowitness, pwntools, volatility3, hayabusa, scoutsuite, ligolo-ng, frp)	Read each entry; grep -E '(impacket-secretsdump|kerbrute -- userenum|gowitness.*-- single|nix run nixpkgs#pwntools|volatility3 -- -f|hayabusa -- csv|uvx scoutsuite|nix run nixpkgs#ligolo-ng|nix run nixpkgs#frp )' docs/csec/additional-tools-reference.md → 0 hits	OK
Core utility Stat tier	toolkit.md:14 defines it; bzip2 (:756) and GNU tar (:804) reclassified	OK
unzip/zip successor pointers	toolkit.md:805-816 — bsdunzip / 7z x for unzip; bsdtar --format zip / 7z a for zip	OK

Catalog totals

grep -cE '^- [a-z]' reports 156 entries in toolkit.md and 144 entries in additional-tools-reference.md. No entry duplicated across the two files (already verified via the per-tool grep loop above).

---

Final assessment

The wfuzz rebuttal is fair: the author posted authoritative gh api data showing v3.1.1 was tagged on 2026-01-21 and the upstream is not archived, so Maintained is correct. The 5-year gap between v3.1.0 and v3.1.1 is real but does not by itself disqualify the project from the catalog's threshold (any release ≥ 2025-01-01).

The cc75b171 index update is the right call: treating the runtime-status report as a peer-level entry in docs/index.md keeps it discoverable from the docs root, while the inline cross-link in additional-tools-reference.md:5 continues to give it the appendix relationship to the catalog.

No further blocking or non-blocking issues identified. All review threads from rounds 1, 2, and 3 are resolvable from this branch.

---

Validation

• Did not run nix flake check — change is documentation-only plus a .typos.toml allowlist entry; per CLAUDE.md, value-level non-Nix changes do not require it.
• Re-verified branch state at cc75b171.

Checklist

• Sync local checkout with cc75b171
• Verify docs/index.md runtime-status entry (Observation B)
• Re-evaluate wfuzz rebuttal against author's gh api evidence (Observation A)
• Re-confirm round 1 / round 2 fixes still hold
• Catalog totals + cross-file deduplication
• Post review
  · docs/csec-toolkit